77°F
weather icon Clear
Las Vegas, NV
Local Las Vegas

Committee to examine Las Vegas’ cybersecurity in wake of August attack

(Thinkstock)
More Stories
(Las Vegas Review-Journal)
Motorcyclist, 50, dies in south Las Vegas crash
Dr. George Chambers, a local OB-GYN, enters the Nevada State Board of Medical Examiners office ...
Medical board prescribes more training for Las Vegas OB-GYN accused of misconduct
Family photos of Killian Straber. (Courtesy of Nicole Straber)
Mom mourns airman son killed in North Las Vegas motorcycle crash
A University Medical Center public safety vehicle waits outside the hospital in Las Vegas Thurs ...
Man dies after crashing car into Las Vegas streetlight pole
By James DeHaven Las Vegas Review-Journal
November 15, 2015 - 12:43 pm
 

Las Vegas leaders have called on a standing committee to "comprehensively examine" the city's approach to cybersecurity.

A pair of City Council members appointed to the city's audit oversight committee on Tuesday tasked that board with figuring out who is responsible for securing the city's computers and what they should be doing to prevent future cyberattacks.

The move came less than a month after the Review-Journal unveiled a clandestine mid-August attack on Las Vegas' computer system carried out by city contractors disguised as janitors.

The hired hackers, armed with guns and City Hall ID passes, managed to breach secured parts of Las Vegas' information technologies department and take over an employee email account before they were rooted out by city staff.

Fallout from the secret exercise — which was commissioned by a handful of top-tier administrators without the prior knowledge or approval of city leaders — has been blamed for the abrupt departure of longtime Chief Information Officer and IT Director Joe Marcella.

The practice hack has also been criticized by City Council members, staffers and security experts who say it should have been handled much differently.

"We have learned some (about the hack) and we'll learn more," said Councilman and audit committee Chairman Bob Coffin. "I'm anxious to make sure all the information needed by the council gets to the council."

Auditor on the case

City staffers, who declined to be identified for fear of retribution, said Marcella was scapegoated after his staff — who did not know the hack was a test — called the FBI and launched an investigation into the incident.

They agreed with cybersecurity experts who said someone in IT should have been warned about the hack so as to prevent a disproportionate response to the exercise.

Employees went on to echo experts' concerns over Marcella's exit and raise questions about City Manager Betsy Fretwell's role in his departure.

An IT-backed investigation into the hack apparently was never completed.

Marcella said Fretwell — or someone else privy to the exercise — ordered his investigative team to "stand down" long before the feds could respond to the hack. Fretwell has refused to confirm or deny the exercise ever took place.

Councilman Coffin remains curious about who gave the order to halt IT's probe into the hack, and why.

He said he's not sure if the answers to those questions are within the audit committee's purview, but said for now, City Auditor Radford Snelding won't be prevented from finding out.

Response still murky

Snelding, who answers directly to the City Council, said he first read about the hack in the newspaper and hadn't seen any vendor contracts or after-action reports associated with the exercise.

He said he's already working on getting hold of some of those documents, which the city refused to hand over to the Review-Journal, citing internal security concerns.

Councilman Bob Beers said Snelding needs to know what steps were taken after the hack and, perhaps above all, who took them.

He acknowledged that a longstanding turf war over tech security responsibilities is being waged between IT and Detention and Enforcement staffers, who run Las Vegas' jail and oversee security at city facilities.

Beers hopes new information to be dug up by the audit committee can help clear up that dispute.

"We're asking what the city is doing in cybersecurity," Beers said. "Some of that effort may or may not be taking place in the city auditor's office. I know some of that effort is taking place outside the city auditor's office.

"I still don't believe there's anything improper, at all, but Radford should know about the results of the test."

Mistakes made?

City Chief Financial Officer Mark Vincent said Detention and Enforcement — the department Marcella said relayed the message to shut down the hacking investigation — was in on the August practice hack, along with the city manager's office.

Department chief Michele Freeman declined through a spokesman to comment on the matter.

That leaves questions surrounding who came up with the exercise, and why it was kept a secret, to the city's elected leaders — the only ones in a position to seek answers from Fretwell.

Three-term City Councilwoman Lois Tarkanian hopes they get those answers, and soon.

"I have to know what mistakes were made, if any," she said. "I intend to look into the matter further."

City audit committee members plan to revisit the issue in January.

Contact James DeHaven at jdehaven@reviewjournal.com or 702-477-3839. Find him on Twitter: @JamesDeHaven

MOST READ
Don't miss the big stories. Like us on Facebook.
THE LATEST
MORE STORIES